[Freeipa-users] sudden ipa errors.

Rob Crittenden rcritten at redhat.com
Thu Sep 20 18:28:17 UTC 2012


Nathan Lager wrote:
>
>
> On 09/20/2012 11:43 AM, Rob Crittenden wrote:
>> Lager, Nathan T. wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Rob Crittenden" <rcritten at redhat.com>
>>>> To: "Nathan Lager" <lagern at lafayette.edu>
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Wednesday, September 19, 2012 4:35:30 PM
>>>> Subject: Re: [Freeipa-users] sudden ipa errors.
>>>> Nathan Lager wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>>
>>>>>
>>>>> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>>>>>> Dmitri Pal wrote:
>>>>>>>
>>>>>>> Rob, keytab and kerberos part seems to be fine, ldap
>>>>>>> works too. Can it be one of the certs? May be some cert
>>>>>>> expired?
>>>>>>
>>>>>> No, the error is coming from GSSAPI, it is unfortunately
>>>>>> completely useless. I think we've pretty well narrowed down
>>>>>> the problem to httpd/mod_auth_kerb but I don't know yet if
>>>>>> this is a configuration issue or a bug.
>>>>>>
>>>>>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
>>>>> Sure, as far as I know it's completely stock, aside from the
>>>>> krb password auth change.
>>>>
>>>> Yup, configuration looks fine.
>>>>
>>>> Ok, let's eliminate the ipa tool as the problem and try curl:
>>>>
>>>> Create a file test.json with these contents:
>>>>
>>>> {"method":"batch","params":[[
>>>> {"method":"user_show","params":[["admin"],{"all":false}]}
>>>> ],{}],"id":1}
>>>>
>>>> then run this:
>>>>
>>>> curl -H "Content-Type:application/json" -H
>>>> "Accept:application/json" -H "Accept-Language:en" -H "Referer:
>>>> https://caroline0.lafayette.edu/ipa/xml" --negotiate -u :
>>>> --cacert /etc/ipa/ca.crt -d @test.json -X POST
>>>> https://caroline0.lafayette.edu/ipa/json
>>>>
>>> Seems to be running into the same trouble.
>>>
>>> [lagern at caroline0 PROD ~]$ curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml" --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <html><head>
>>> <title>500 Internal Server Error</title>
>>> </head><body>
>>> <h1>Internal Server Error</h1>
>>> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
>>> <p>Please contact the server administrator, root at localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p>
>>> <p>More information about this error may be available in the server error log.</p>
>>> <hr>
>>> <address>Apache/2.2.15 (Red Hat) Server at caroline0.lafayette.edu Port 443</address>
>>> </body></html>
>>
>> Ok, need to gather some more info:
>>
>> # kvno HTTP/caroline0.lafayette.edu
>> # klist -kt /etc/httpd/conf/ipa.keytab
>>
> [root at caroline0 PROD ~]# kvno HTTP/caroline0.lafayette.edu
> HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU: kvno = 3
> [root at caroline0 PROD ~]# klist -kt /etc/httpd/conf/ipa.keytab
> Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>     3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu at SYSTEMS.LAFAYETTE.EDU
>

It may be nothing, but I wonder why kvno 2 has 6 keys and 3 has only 4. 
Did you change the available encryption types?

Can you re-run the klist command with -e as well? klist -ekt ...

rob
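The two checks Rob is doing by hand above (does the keytab hold the kvno the KDC currently issues, and did the newer key version lose encryption types relative to the older one) are easy to script. The following is an added example, not code from the thread or from FreeIPA: it parses the output of `klist -ekt` and `kvno` and reports both conditions per principal. The kvno, timestamp and principal columns in the constructed sample follow the listing in the thread; the enctypes in parentheses are assumed, since the thread's listing was taken without `-e`. A keytab that lacks the KDC's current kvno, or that lacks the enctype a service ticket was issued with, cannot accept the ticket, which is exactly the kind of failure that surfaces as an opaque GSSAPI error in httpd.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ekt /etc/httpd/conf/ipa.keytab` output. The kvno,
# timestamp and principal columns follow the listing in the thread; the enctypes in
# parentheses are ASSUMED (the thread's listing was taken without -e).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   2 02/03/12 16:31:27 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-hmac-sha1)
   2 02/03/12 16:31:28 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des-cbc-md5)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes256-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (aes128-cts-hmac-sha1-96)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (des3-cbc-sha1)
   3 09/19/12 15:33:53 HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU (arcfour-hmac)
"""

# Constructed sample of `kvno HTTP/caroline0.lafayette.edu` output, as in the thread.
SAMPLE_KVNO = "HTTP/caroline0.lafayette.edu@SYSTEMS.LAFAYETTE.EDU: kvno = 3\n"

# One keytab entry: kvno, a two-token timestamp, the principal, and (only with -e)
# the enctype in parentheses.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)(?:\s+\((.+)\))?\s*$")
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal, enctype)] from klist -kt output; enctype is None without -e."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def parse_kvno(text):
    """Return {principal: kvno} from the output of the kvno tool."""
    found = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def check_keytab(klist_text, kvno_text):
    """Compare a keytab listing against the kvno the KDC currently issues.

    For each principal in the keytab, report which kvnos and enctypes it holds,
    whether the KDC's current kvno is present at all, and which enctypes the
    current kvno lost relative to the previous one.
    """
    keys = defaultdict(lambda: defaultdict(list))
    for kvno, principal, enctype in parse_klist(klist_text):
        keys[principal][kvno].append(enctype)
    kdc = parse_kvno(kvno_text)

    report = {}
    for principal, by_kvno in keys.items():
        ordered = sorted(by_kvno)
        current = kdc.get(principal)
        enctypes = {k: sorted(e for e in v if e) for k, v in by_kvno.items()}
        dropped = []
        older = [k for k in ordered if current is not None and k < current]
        if current in by_kvno and older:
            prev = max(older)
            dropped = sorted(set(enctypes[prev]) - set(enctypes[current]))
        report[principal] = {
            "kdc_kvno": current,
            "keytab_kvnos": ordered,
            "kdc_kvno_in_keytab": current in by_kvno,
            "keys_per_kvno": {k: len(v) for k, v in by_kvno.items()},
            "enctypes": enctypes,
            "dropped_enctypes": dropped,
        }
    return report


def summarize(report):
    """Render the findings as one line per principal, flagging the two failure modes."""
    lines = []
    for principal, r in report.items():
        status = "ok"
        if not r["kdc_kvno_in_keytab"]:
            status = "MISSING: KDC issues kvno %s but keytab only has %s" % (
                r["kdc_kvno"], r["keytab_kvnos"])
        elif r["dropped_enctypes"]:
            status = "kvno %d lacks enctypes present in the previous key: %s" % (
                r["kdc_kvno"], ", ".join(r["dropped_enctypes"]))
        lines.append("%s: %s" % (principal, status))
    return lines


if __name__ == "__main__":
    for line in summarize(check_keytab(SAMPLE_KLIST, SAMPLE_KVNO)):
        print(line)
```

On a live host, feed it the real output (`klist -ekt /etc/httpd/conf/ipa.keytab` and `kvno HTTP/<fqdn>`) instead of the constructed samples; the parser accepts a listing taken without `-e` as well, in which case it can still answer the kvno question but not the enctype one.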



